# Ansible Role selinux

This role

- sets the state of SELinux using `setenforce`
- toggles SELinux booleans using `setsebool`
- sets SELinux file contexts using `semanage fcontext`. It does NOT apply them to existing files using `restorecon`; do this in your own role where it fits.
- manages SELinux ports using `semanage port`
## Runs on

- RHEL 8 (and compatible)
- RHEL 9 (and compatible)
## Mandatory Requirements

- Install the SELinux Python bindings. This can be done using the linuxfabrik.lfops.policycoreutils role.
## Optional Role Variables

Variable | Description | Default Value
---|---|---
`selinux__booleans__host_var` | A list of dictionaries containing SELinux booleans to set persistently. Subkeys: `key` (the boolean name as shown by `getsebool -a`), `value` (`'on'` or `'off'`). | 
`selinux__fcontexts__host_var` | A list of dictionaries containing SELinux file contexts. Subkeys: `setype` (the type to assign), `target` (a path or path regex as accepted by `semanage fcontext`), `state`. The role only records the mapping in the policy; run `restorecon` yourself to relabel files that already exist. | 
`selinux__ports__host_var` | A list of dictionaries containing SELinux ports. Subkeys: `setype` (the port type), `port` (a single port or a range such as `'8070-8080'`). | 
`selinux__state` | The SELinux state. Possible options: `'enforcing'`, `'permissive'`, `'disabled'`. Only enforcing and permissive can be switched at runtime with `setenforce`; going to or from `disabled` is a change to `/etc/selinux/config` that takes effect after a reboot. | 
Example:

```yaml
# optional
selinux__booleans__host_var:
  - key: 'httpd_can_network_connect_db'
    value: 'on'
  - key: 'httpd_can_sendmail'
    value: 'on'
  # allows httpd to map memory writable and executable at once; enable only
  # for a module that really needs it
  - key: 'httpd_execmem'
    value: 'on'
  - key: 'httpd_use_nfs'
    value: 'on'

selinux__fcontexts__host_var:
  # the role records these mappings only; relabel with restorecon afterwards
  - setype: 'httpd_sys_rw_content_t'
    target: '/data(/.*)?'
    state: 'present'
  - setype: 'httpd_sys_rw_content_t'
    target: '/var/www/html/nextcloud/.htaccess'
    state: 'present'

selinux__ports__host_var:
  - setype: 'http_port_t'
    port: '8070-8080'
  - setype: 'ssh_port_t'
    port: 22

selinux__state: 'enforcing'
```
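The role records the desired state in the policy but, as noted above, never runs `restorecon`, so files that already exist under `/data` keep their old label until you relabel them. The script below is an added example, not part of the linuxfabrik.lfops.selinux role: it checks a host against the example variables above by parsing the output of `getenforce`, `getsebool -a`, `semanage fcontext -l` and `semanage port -l`, and then runs `restorecon -Rv` over the fcontext targets. The function names (`check_state`, `check_bool`, `check_fcontext`, `check_port`, `fcontext_path`, `report`) are this example's own, and the sample tool output embedded in it is constructed, not captured from a real host. Each check takes the tool's output as its last argument, so the script runs offline; `--live` queries the real host.

```shell
#!/bin/sh
# Added example; not part of the linuxfabrik.lfops.selinux role. After the role
# has run, confirm that the host shows the state described by selinux__state,
# selinux__booleans__host_var, selinux__fcontexts__host_var and
# selinux__ports__host_var (the README example), then relabel the fcontext
# targets with restorecon, which the role deliberately leaves to the caller.
set -eu

# getenforce prints Enforcing, Permissive or Disabled; the role variable is lower case.
check_state() {   # check_state <enforcing|permissive|disabled> "<getenforce output>"
  [ "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" = "$1" ]
}

# getsebool -a prints one "name --> on|off" line per boolean; match the whole line.
check_bool() {    # check_bool <name> <on|off> "<getsebool -a output>"
  printf '%s\n' "$3" | grep -qxF "$1 --> $2"
}

# semanage fcontext -l prints "<target regex>  <file type>  <user:role:type:level>".
# Compare the target string exactly and the type component of the context. The
# target is passed through the environment because awk -v would interpret backslashes.
check_fcontext() {   # check_fcontext <target> <setype> "<semanage fcontext -l output>"
  printf '%s\n' "$3" | T="$1" TY="$2" awk '
    BEGIN { t = ENVIRON["T"]; ty = ENVIRON["TY"] }
    $1 == t { split($NF, ctx, ":"); if (ctx[3] == ty) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# semanage port -l prints "<type>  <proto>  <port>, <lo-hi>, ...". A wanted port or
# range counts as present when every port in it is covered by some listed entry.
check_port() {    # check_port <setype> <tcp|udp> <port|lo-hi> "<semanage port -l output>"
  printf '%s\n' "$4" | awk -v ty="$1" -v pr="$2" -v want="$3" '
    BEGIN { n = split(want, w, "-"); lo = w[1] + 0; hi = (n == 2 ? w[2] : w[1]) + 0 }
    $1 == ty && $2 == pr {
      for (i = 3; i <= NF; i++) {
        gsub(",", "", $i)
        if (index($i, "-")) { split($i, r, "-"); a = r[1] + 0; b = r[2] + 0 }
        else { a = $i + 0; b = a }
        for (x = (a > lo ? a : lo); x <= (b < hi ? b : hi); x++) seen[x] = 1
      }
    }
    END { for (x = lo; x <= hi; x++) if (!(x in seen)) exit 1; exit 0 }'
}

# The fcontext target is a regex; restorecon wants the path it is rooted at.
fcontext_path() {   # fcontext_path '/data(/.*)?'  ->  /data
  printf '%s\n' "${1%%\(*}"
}

# Print one verdict line and count failures in the global "fails".
note() {   # note <0|1> <label>
  if [ "$1" -eq 0 ]; then echo "ok   $2"; else echo "FAIL $2"; fails=$((fails + 1)); fi
}

# Run every check for the README example against the given outputs;
# returns the number of failed checks.
report() {   # report "<getenforce>" "<getsebool -a>" "<semanage fcontext -l>" "<semanage port -l>"
  fails=0
  check_state enforcing "$1" && note 0 state || note 1 state
  for b in httpd_can_network_connect_db httpd_can_sendmail httpd_execmem httpd_use_nfs; do
    check_bool "$b" on "$2" && note 0 "bool $b" || note 1 "bool $b"
  done
  for t in '/data(/.*)?' '/var/www/html/nextcloud/.htaccess'; do
    check_fcontext "$t" httpd_sys_rw_content_t "$3" && note 0 "fcontext $t" || note 1 "fcontext $t"
  done
  check_port http_port_t tcp 8070-8080 "$4" && note 0 "port http 8070-8080" || note 1 "port http 8070-8080"
  check_port ssh_port_t tcp 22 "$4" && note 0 "port ssh 22" || note 1 "port ssh 22"
  return "$fails"
}

# Constructed sample output, not captured from a real host. httpd_execmem is
# deliberately "off" so that one check visibly fails.
SAMPLE_STATE='Enforcing'
SAMPLE_BOOLS='httpd_can_network_connect_db --> on
httpd_can_sendmail --> on
httpd_execmem --> off
httpd_use_nfs --> on'
SAMPLE_FCONTEXTS='SELinux fcontext                     type        Context

/data(/.*)?                          all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html/nextcloud/.htaccess    all files   system_u:object_r:httpd_sys_rw_content_t:s0
/var/www(/.*)?                       all files   system_u:object_r:httpd_sys_content_t:s0'
SAMPLE_PORTS='SELinux Port Type   Proto   Port Number

http_port_t         tcp     8070-8080, 80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t          tcp     22'

if [ "${1:-}" = "--live" ]; then
  report "$(getenforce)" "$(getsebool -a)" "$(semanage fcontext -l)" "$(semanage port -l)" || true
  for t in '/data(/.*)?' '/var/www/html/nextcloud/.htaccess'; do
    restorecon -Rv "$(fcontext_path "$t")"   # apply the recorded contexts to existing files
  done
else
  report "$SAMPLE_STATE" "$SAMPLE_BOOLS" "$SAMPLE_FCONTEXTS" "$SAMPLE_PORTS" || true
fi
```

Run it without arguments to see the checks against the constructed samples (the `httpd_execmem` line reports FAIL), or with `--live` as root on a host the role has configured. `check_port` accepts ranges and treats a wanted range as satisfied when every port in it is covered, so `80-81` matches the separately listed `80, 81` while `8070-8080` needs the whole range. One caveat on the README example itself: `httpd_execmem` lets httpd map memory that is writable and executable at the same time, which removes one of the protections SELinux gives a web server, so keep it `'off'` unless a specific module is known to need it.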